https://gvisor.dev/docs/architecture_guide/platforms/

> gVisor requires a platform to implement interception of syscalls, basic context switching, and memory mapping functionality. Internally, gVisor uses an abstraction sensibly called Platform.

Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/refs/heads/...

Firefox sandbox: https://wiki.mozilla.org/Security/Sandbox

Chromium sandbox types summary: https://github.com/chromium/chromium/blob/main/docs/linux/sa...

Minijail: https://github.com/google/minijail

> Minijail is a sandboxing and containment tool used in ChromeOS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Chrome vulnerability reward amounts: https://bughunters.google.com/about/rules/5745167867576320/c...

Systemd has SystemCallFilter= to limit processes to certain syscalls: https://news.ycombinator.com/item?id=36693366

Nerdctl: https://github.com/containerd/nerdctl

Nerdctl, podman, and podman-remote do rootless containers.
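As an added illustration of the systemd SystemCallFilter= mechanism mentioned in the comment above (this is not part of the comment, nor systemd's own documentation), here is a drop-in for a hypothetical unit named example.service that starts from systemd's @system-service syscall group and then subtracts groups an ordinary daemon has no business calling:

```ini
# /etc/systemd/system/example.service.d/10-syscall-filter.conf
# Added example; "example.service" is a hypothetical unit name.
[Service]
# Reject syscalls made through a non-native ABI (e.g. 32-bit compat on
# x86-64); a filter keyed on native syscall numbers does not cover them.
SystemCallArchitectures=native

# First line is an allowlist, so it sets the default action to "deny":
# only the @system-service group (what common daemons need) is permitted.
SystemCallFilter=@system-service

# A later "~" line subtracts from that allowlist. Lines are applied in
# order, so this narrows what the previous line permitted.
SystemCallFilter=~@privileged @resources @mount @reboot @swap @raw-io @obsolete @debug @cpu-emulation @module

# Return EPERM to the caller instead of killing the process with SIGSYS.
# The failure then surfaces as a normal error in the service's own logs,
# which is easier to diagnose while the filter is being rolled out.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security example.service` reports how the resulting filter scores alongside the unit's other hardening settings; the denylist line only matters because it follows the allowlist, so keep the two in this order.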